Secure Chorus' presentation at the TechUK event on "Open Banking, PSD2 and the Cyber Challenges Facing the Financial Services Sector"
Please visit https://www.securechorus.org/resources to access the White Paper
1. PSD2 and the Cyber Security Related Challenges Facing the Financial Services Sector
Roderick Hodgson, Director
Contact details:
Email: r.hodgson@securechorus.org
Mobile: +44 (0)7500828852
2. Agenda
1. Secure Chorus: our story
2. PSD2: a changing industry
3. PSD2: cybersecurity requirements
4. Open standards for securing data and assuring the identity of interfaces
5. Secure Chorus: addressing the requirements of PSD2
4. Secure Chorus: our story

An industry-led initiative since 2012
Secure Chorus brings together vendors, operators and system integrators to develop a global, interoperable and secure multimedia communications ecosystem of products and services that simplifies inter-organisational communications in enterprise and government.

We are an independent, not-for-profit membership organisation
Secure Chorus Ltd was incorporated in September 2016. Before that it was an informal industry group, meeting regularly since the beginning of 2012 and including NCSC, Vodafone, O2, BAE Systems, Leonardo, Armour Communications, Cryptify, SQR Systems and Serbus.

Our members and observers
Our members include vendors and users of secure communications, ranging from governments, supranational organisations and major corporates to SMEs and start-ups. Secure Chorus also welcomes observers such as regulators, academic institutions, standards organisations and trade associations.
5. Secure Chorus: our story

Our user members
Secure Chorus membership enables our user members to tap into the talent, experience and passion of our vendors to address the biggest secure multimedia communication challenges on their mind. Purchasing Secure Chorus Compliant Products is intended to deliver lower costs, increased capability and higher aggregate security for users.

Our work
We work together with our vendors to develop interoperability standards for secure communication that meet the requirements of a wide range of use cases. Uniquely, we go beyond the technology and seek to establish a mutually beneficial ecosystem model amongst our community of vendors and users.
6. Secure Chorus: our story

Sectors: PUBLIC SAFETY, FINANCIAL SERVICES, PROFESSIONAL SERVICES, HEALTHCARE
• Secure Chorus was primarily designed to support the UK government requirement for secure communications. This covers a range of applications, including PUBLIC SAFETY.
• Since then there has been interest from security-conscious enterprises with similar requirements, including the FINANCIAL SERVICES, PROFESSIONAL SERVICES and HEALTHCARE sectors.
8. The Payment Services Directive
• Harmonizing regulation across Europe
• Opening the marketplace to new participants
9. Changing trends
• Geographical expansion towards EU-wide markets
• The growth of fintech and new business models
PSD2 expands the directive's scope, clarifies the exceptions from it and strengthens security and customer authentication.
10. Third-party providers: definitions
Account Information Service Providers (AISPs) allow payment service users to have an overview of their financial situation at any time, allowing them to better manage their personal finances.
Diagram: USER -> AISP -> BANK A, BANK B
11. Third-party providers: definitions
Payment Initiation Service Providers (PISPs) allow consumers to pay for their online purchases via a simple credit transfer, while giving merchants the assurance that the payment has been initiated so that goods can be released or services provided without delay.
Diagram: USER -> PISP -> BANK, with the MERCHANT notified that the payment has been initiated
12. Banks will open their IT infrastructure to third-party payment providers
Businesses must implement the right technical solutions to achieve the goals of the regulation, while safeguarding their users' data and the trust their users have placed in them.
14. PSD2: regulatory requirements

Security of credentials (Articles 66 and 67)
PSD2 requires that a user's personalised security credentials are kept secure and transmitted by a PISP or AISP to the issuer of those credentials through safe and efficient channels.

Traceability (Article 72)
In the event of a dispute, a payment service provider will need to provide evidential records. This implies a key requirement to maintain auditable records, which must themselves meet the other articles' security requirements.

Auditability (Article 95)
Payment service providers will need to ensure they can appropriately monitor, assess and audit their cybersecurity capability, and respond to cybersecurity incidents with appropriate processes.

Authentication (Article 97)
Account servicing payment service providers will need to authenticate not only their users but also every third-party service they share data with.
15. PSD2: the regulatory technical standards
Regulatory technical standards on authentication and communication (Article 98)
The European Banking Authority will draft Regulatory Technical Standards (RTS) addressing secure open standards of communication and the protection of users' data. The RTS must not prescribe the use of any specific industry standard of internet communication.
16. PSD2: the regulatory technical standards
The RTS highlights the need for:
• Security measures
• Open standards for secure communication
17. Security measures: security and traceability
• The confidentiality of personalised security credentials must be ensured; to do so, the processing and routing of the data, including its delivery to third parties, must take place in secure environments.
• Detailed logging of each transaction, so that full knowledge of all events relevant to any electronic transaction performed via this mechanism can be obtained by authorised parties.
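One concrete way to meet the evidential-record requirement of Articles 72 and 95 and the RTS logging point above is a keyed hash chain, where every record is bound to its predecessor and authenticated under a key held by the payment service provider and shared only with parties authorised to verify the log. The following is an added example, not Secure Chorus code or anything from the deck; the record layout, the sample events and the key are constructed for illustration.

```python
"""Tamper-evident transaction log as an HMAC-keyed hash chain.

Added illustration for the PSD2 traceability and auditability requirements; not Secure
Chorus code. Record fields, sample events and the key below are constructed.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous tag" of the first record


def canonical(record):
    """Stable byte encoding so every verifier hashes exactly the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_tag(key, seq, prev, event):
    body = {"seq": seq, "prev": prev, "event": event}
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


def append_event(log, key, event):
    """Append an event, binding it to the previous record's tag.

    A reader without the key can still inspect the log; only key holders can
    produce a tag, so an edited, re-ordered or re-chained record will not verify.
    """
    prev = log[-1]["tag"] if log else GENESIS
    record = {"seq": len(log), "prev": prev, "event": event}
    record["tag"] = record_tag(key, record["seq"], prev, event)
    log.append(record)
    return record


def verify_chain(log, key):
    """Return (ok, first_bad_seq).

    Detects modified, inserted, deleted and reordered records. Removing records
    from the *end* is not detectable by the chain alone: anchor the latest tag
    somewhere the provider cannot silently change (escrow, publication, a second
    party's copy).
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        expected = record_tag(key, rec["seq"], rec["prev"], rec["event"])
        if rec["seq"] != i or rec["prev"] != prev or not hmac.compare_digest(expected, rec["tag"]):
            return False, i
        prev = rec["tag"]
    return True, None


def with_modified_event(log, seq, changes):
    """Deep copy of the log with one event altered (JSON round-trip copies nested dicts)."""
    copy = json.loads(json.dumps(log))
    copy[seq]["event"].update(changes)
    return copy


# Constructed sample events for a single payment initiation; not real transactions.
SAMPLE_EVENTS = [
    {"type": "consent_granted", "psu": "user-1042", "tpp": "pisp.example", "scope": "payment"},
    {"type": "payment_initiated", "psu": "user-1042", "tpp": "pisp.example",
     "amount": "45.00", "ccy": "EUR", "payee": "merchant-77"},
    {"type": "sca_completed", "psu": "user-1042", "method": "app-push"},
    {"type": "payment_executed", "ref": "pay-0001", "amount": "45.00", "ccy": "EUR"},
]
KEY = b"audit-key-example"  # in practice drawn from an HSM or KMS, never hard-coded


def build_sample_log(key=KEY):
    log = []
    for event in SAMPLE_EVENTS:
        append_event(log, key, event)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log, KEY))
    print("amount altered:", verify_chain(with_modified_event(log, 1, {"amount": "4500.00"}), KEY))
    print("record deleted:", verify_chain(log[:2] + log[3:], KEY))
```

The key decides who counts as an "authorised party": verification requires it, so a log handed to a disputing customer or a regulator should be accompanied by the key (or a per-audit derived key), and the provider's own copy of the final tag is what stops the log being trimmed after the fact.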
18. Open standards for secure communication: interfaces
• Banks must provide an interface, ideally dedicated to this purpose.
• Secure communication standards that are open and widely available must be used, including strong and widely recognised encryption techniques.
• Qualified certificates must be used to authenticate services to one another.
20. The need for interoperable and open standards
KNOWN AND OPEN SPECIFICATIONS: allow an assessment that the technology meets the desired security requirements (COMPLIANCE ASSESSMENT, INTEROPERABILITY).
OPERATING BEYOND THE PERIMETERS OF AN ORGANISATION: processing payment data, credentials and personal data within the security perimeter of the organisations and beyond it.
21. Identity-based public key cryptography: a unique approach
DATA SECURITY: END-TO-END ENCRYPTION. Can be used in a variety of environments, both at rest (e.g. storage) and in transit (e.g. network systems).
TRACEABILITY: ENTERPRISE CONTROLLED ACCESS TO DATA. Full control of the system security and the ability to comply with auditing requirements through a managed and logged process.
SCALE: IDENTITY BASED PUBLIC KEY. Encryption to a user's identity in a PSP while also providing authentication of the PSP from which the data originated, without the need for a complex supporting infrastructure.
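The "no complex supporting infrastructure" claim above rests on how identity-based keys are issued and checked: a key management server derives each party's private key from its identity string, and a verifier needs only the KMS public key plus the claimed identity, never a per-user certificate or a directory of public keys. The following is an added example, not Secure Chorus code or its open-source library, showing the signature half of that scheme in the style of ECCSI (RFC 6507, the signing component of MIKEY-SAKKE); the encryption half (SAKKE) needs pairing arithmetic and is not shown. The curve arithmetic is textbook affine P-256, the octet-string encodings fed to the hash are simplified rather than the RFC's exact formats, and the identities and message are made up, so treat it as an illustration of the structure, not a conformant implementation.

```python
"""Identity-based signatures in the style of ECCSI (RFC 6507).

Added illustration, not Secure Chorus code. Affine P-256, simplified hash encodings,
non-constant-time arithmetic: for learning the structure only.
"""
import hashlib
import secrets

# NIST P-256 domain parameters.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
Q = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551  # order of G
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def enc(pt):
    return b"\x04" + pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def h(*parts):
    """Hash to an integer mod Q (simplified relative to the RFC 6507 encodings)."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % Q


def kms_keygen():
    """KMS root: secret KSAK and public KPAK = [KSAK]G. KPAK is all a verifier needs."""
    ksak = secrets.randbelow(Q - 1) + 1
    return ksak, ec_mul(ksak, G)


def hs_value(kpak, identity, pvt):
    return h(enc(G), enc(kpak), identity.encode(), enc(pvt))


def kms_issue(ksak, kpak, identity):
    """Derive (SSK, PVT) for an identity: SSK = KSAK + HS*v, PVT = [v]G.
    Only the KMS can do this, because only it knows KSAK."""
    while True:
        v = secrets.randbelow(Q - 1) + 1
        pvt = ec_mul(v, G)
        ssk = (ksak + hs_value(kpak, identity, pvt) * v) % Q
        if ssk:
            return ssk, pvt


def sign(ssk, pvt, kpak, identity, msg):
    """Signature (r, s, PVT): r = x([j]G), s = j / (HE + r*SSK) mod Q."""
    hs = hs_value(kpak, identity, pvt)
    while True:
        j = secrets.randbelow(Q - 1) + 1
        r = ec_mul(j, G)[0]
        he = h(hs.to_bytes(32, "big"), r.to_bytes(32, "big"), msg)
        d = (he + r * ssk) % Q
        if r % Q and d:
            return r, pow(d, -1, Q) * j % Q, pvt


def verify(kpak, identity, msg, sig):
    """Accept iff x([s]([HE]G + [r]Y)) == r, where Y = [HS]PVT + KPAK = [SSK]G."""
    r, s, pvt = sig
    if not on_curve(pvt) or not 0 < s < Q:
        return False
    hs = hs_value(kpak, identity, pvt)
    y = ec_add(ec_mul(hs, pvt), kpak)
    he = h(hs.to_bytes(32, "big"), r.to_bytes(32, "big"), msg)
    j = ec_mul(s, ec_add(ec_mul(he, G), ec_mul(r, y)))
    return j is not None and j[0] == r


def demo():
    """A PSP signs under a hypothetical identity; verification binds message, identity and KMS."""
    ksak, kpak = kms_keygen()
    ident = "psp:payments.bank-a.example"           # hypothetical identity string
    ssk, pvt = kms_issue(ksak, kpak, ident)
    msg = b"payment-initiation:pay-0001:45.00 EUR"  # constructed message
    sig = sign(ssk, pvt, kpak, ident, msg)
    return {
        "valid": verify(kpak, ident, msg, sig),
        "wrong_msg": verify(kpak, ident, msg + b"0", sig),
        "wrong_identity": verify(kpak, "psp:attacker.example", msg, sig),
        "other_kms": verify(kms_keygen()[1], ident, msg, sig),
    }
```

The verifier's inputs are KPAK, the identity string and the message; PVT rides along with the signature and is bound into HS, so it cannot be swapped for another user's. The price of the simplicity is that the KMS holds KSAK and can therefore derive any identity's key, which is exactly the "enterprise controlled access" property the slides describe and also the reason the KMS is the component to protect and audit.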
23. Secure Chorus: standards
INDUSTRY OPEN STANDARDS: based upon COMMUNICATION and CRYPTOGRAPHY STANDARDS documented by international standards bodies (IETF and 3GPP). An open-source code library is available.
SECURE CHORUS OPEN STANDARDS: our members collaborate to develop open INTEROPERABILITY STANDARDS that allow their products to interoperate.
INTEROPERABILITY
• TELECOMS (SIP/VoIP, OPUS)
• END-TO-END ENCRYPTION (MIKEY-SAKKE, SRTP)
24. Secure Chorus: Secure Chorus Standards
DATA SECURITY: END-TO-END ENCRYPTION. Can be used in any environment without needing to trust the intermediate systems, both at rest (e.g. storage) and in transit (e.g. network systems).
DATA OWNERSHIP: ENTERPRISE CONTROLLED ACCESS TO DATA. Full control of the system security and the ability to comply with any auditing requirements through a managed and logged process.
INTEROPERABILITY: KEY MANAGEMENT SERVER. The Secure Chorus KMS approach simplifies inter-organisational communications without bringing external users into internal security perimeters.
IMPLEMENTATION AGNOSTIC: ANY PLATFORM OR INFRASTRUCTURE. Users have the freedom and flexibility to deploy platforms and infrastructure to meet their requirements.
SCALE: IDENTITY BASED PUBLIC KEY. Does not require expensive and complex supporting infrastructure for distributing credentials, allowing for at-scale implementation.
FLEXIBILITY: REAL-TIME & DEFERRED COMMUNICATION. Supports both real-time communications (such as one-to-one and multi-party calls) and deferred delivery (such as messaging and voicemail).
25. Secure Chorus: our approach
Ecosystem Model: we offer an ecosystem of interoperable secure communications products and services that makes communications available only to those who need to know.
Community: we improve the value proposition of our vendors' products and services, and offer our users higher aggregate security.
Technology Innovation: we tap into the talent, experience and passion of our vendors, operators and system integrators to address the biggest secure communication challenges on the minds of our users.
Thought Leadership: by harnessing the collective strength of our members, we keep the need for secure communication at the heart of enterprise governance across sectors globally.